Certificate assets in Azure Automation

Certificates are stored securely in Azure Automation so they can be accessed by runbooks or DSC configurations using the Get-AzureRmAutomationCertificate activity for Azure Resource Manager resources. This capability allows you to create runbooks and DSC configurations that use certificates for authentication, or that add them to Azure or third-party resources.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. This key is stored in a system-managed Key Vault. Before a secure asset is stored, the key is loaded from Key Vault and used to encrypt the asset. This process is managed by Azure Automation.

AzureRM PowerShell cmdlets

For AzureRM, the cmdlets in the following table are used to create and manage Automation certificate assets with Windows PowerShell. They ship as part of the AzureRM.Automation module, which is available for use in Automation runbooks and DSC configurations.

Cmdlet - Description

Get-AzureRmAutomationCertificate
    Retrieves information about a certificate asset to use in a runbook or DSC configuration. The certificate itself can only be retrieved with the Get-AutomationCertificate activity.
New-AzureRmAutomationCertificate
    Creates a new certificate in Azure Automation.
Remove-AzureRmAutomationCertificate
    Removes a certificate from Azure Automation.
Set-AzureRmAutomationCertificate
    Sets the properties of an existing certificate, including uploading the certificate file and setting the password for a .pfx.
Add-AzureCertificate
    Uploads a service certificate for the specified cloud service.

Activities

The activities in the following table are used to access certificates in runbooks and DSC configurations.

Activity - Description

Get-AutomationCertificate
    Gets a certificate to use in a runbook or DSC configuration. Returns a System.Security.Cryptography.X509Certificates.X509Certificate2 object.

Note

Avoid using variables in the -Name parameter of Get-AutomationCertificate in a runbook or DSC configuration: it complicates discovering the dependencies between runbooks or DSC configurations and Automation assets at design time.

Python2 functions

The function in the following table is used to access certificates in a Python2 runbook.

Function - Description

automationassets.get_automation_certificate
    Retrieves information about a certificate asset.

Note

You must import the automationassets module at the beginning of your Python runbook in order to access the asset functions.

Creating a new certificate

When you create a new certificate, you upload a .cer or .pfx file to Azure Automation. If you mark the certificate as exportable, it can be transferred out of the Azure Automation certificate store. If it isn't exportable, it can only be used for signing within the runbook or DSC configuration. Azure Automation requires the certificate to use the provider "Microsoft Enhanced RSA and AES Cryptographic Provider".
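
Before uploading, it is worth checking that a .pfx actually meets the requirements just described. The following PowerShell is an added example, not code from the original article or from Azure Automation. It assumes Windows PowerShell 5.1 on Windows, where CSP-backed RSA private keys are exposed as RSACryptoServiceProvider; the file path and password are placeholders, and Test-AutomationPfx is a hypothetical helper name.

```powershell
# Added example: inspect a .pfx before it becomes an Automation certificate asset.
# Assumes Windows PowerShell 5.1 (.NET Framework); path and password are placeholders.
Add-Type -AssemblyName System.Security

function Test-AutomationPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Password,
        # Provider that Azure Automation requires, as stated in the article
        [string]$RequiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    )

    # Load into a temporary key container; nothing is persisted to the machine store
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList @($Path, $Password, $flags)

    $provider = $null
    # On Windows PowerShell 5.1, PrivateKey is an RSACryptoServiceProvider for CSP keys
    # and $null for CNG keys, which have no CSP provider name and so cannot pass this check.
    $key = $cert.PrivateKey
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider = $key.CspKeyContainerInfo.ProviderName
    }

    $result = [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider
        ProviderOk    = ($provider -eq $RequiredProvider)
        Expired       = ($cert.NotAfter -lt (Get-Date))
    }

    if (-not $result.HasPrivateKey) {
        Write-Warning 'No private key in the file: the asset could only hold a public certificate.'
    }
    if (-not $result.ProviderOk) {
        Write-Warning "Provider is '$provider'; Azure Automation expects '$RequiredProvider'."
    }
    if ($result.Expired) {
        Write-Warning "Certificate expired on $($result.NotAfter)."
    }
    $result
}

# Placeholder path and password; replace with your own values
Test-AutomationPfx -Path '.\MyCert.pfx' -Password '<password>' | Format-List
```

Run this against the file you intend to pass to New-AzureRmAutomationCertificate; a ProviderOk of False or a warning about the private key means the upload will not give you a certificate that runbooks can sign with. Exportability is not a property of the file itself but a choice you make when you upload the asset, so it is not part of this check.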

To create a new certificate with the Azure portal

  1. From your Automation account, click the Assets tile to open the Assets page.
  2. Click the Certificates tile to open the Certificates page.
  3. Click Add a certificate at the top of the page.
  4. Type a name for the certificate in the Name box.
  5. To browse for a .cer or .pfx file, click Select a file under Upload a certificate file. If you select a .pfx file, specify its password and whether it can be exported.
  6. Click Create to save the new certificate asset.

To create a new certificate with PowerShell

The following example demonstrates how to create a new Automation certificate and mark it exportable. It imports an existing .pfx file.

$certificateName = 'MyCertificate'
$PfxCertPath = '.\MyCert.pfx'
$CertificatePassword = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
$ResourceGroup = "ResourceGroup01"

New-AzureRmAutomationCertificate -AutomationAccountName "MyAutomationAccount" -Name $certificateName -Path $PfxCertPath -Password $CertificatePassword -Exportable -ResourceGroupName $ResourceGroup

Create a new certificate with a Resource Manager template

The following example demonstrates how to deploy a certificate to your Automation account using a Resource Manager template through PowerShell:

$AutomationAccountName = '<automation account name>'
$PfxCertPath = '<PFX cert path>'
$CertificatePassword = '<password>'
$certificateName = '<certificate name>'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable `
    -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet `
    -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
# Load the certificate into memory
$PfxCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($PfxCertPath, $CertificatePassword, $flags)
# Export the certificate (with its private key) and convert it into a base64 string
$Base64Value = [System.Convert]::ToBase64String($PfxCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12))
$Thumbprint = $PfxCert.Thumbprint

# Build the template; "`$schema" is escaped so PowerShell does not expand it inside the here-string
$json = @"
{
    "`$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "name": "$AutomationAccountName/$certificateName",
            "type": "Microsoft.Automation/automationAccounts/certificates",
            "apiVersion": "2015-10-31",
            "properties": {
                "base64Value": "$Base64Value",
                "thumbprint": "$Thumbprint",
                "isExportable": true
            }
        }
    ]
}
"@

$json | Out-File .\template.json
New-AzureRmResourceGroupDeployment -Name NewCert -ResourceGroupName TestAzureAuto -TemplateFile .\template.json

Using a certificate

To use a certificate, use the Get-AutomationCertificate activity. You can't use the Get-AzureRmAutomationCertificate cmdlet, because it returns information about the certificate asset but not the certificate itself.
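
That distinction also makes Get-AzureRmAutomationCertificate the right tool for auditing the assets of an account without ever touching key material. The following PowerShell is an added example, not code from the original article; it uses the cmdlet from the table above and assumes an AzureRM session that is already signed in. The account and resource group names are placeholders, Get-AutomationCertificateReport is a hypothetical helper name, and the Name, Thumbprint, ExpiryTime and Exportable properties are those of the object the cmdlet returns.

```powershell
# Added example: report on the certificate assets of an Automation account using
# only asset metadata. Assumes AzureRM.Automation is loaded and Login-AzureRmAccount
# has been run; account and resource group names below are placeholders.
function Get-AutomationCertificateReport {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$AutomationAccountName,
        # Flag assets that expire within this many days
        [int]$WarnWithinDays = 30
    )

    $nowUtc = [DateTime]::UtcNow
    Get-AzureRmAutomationCertificate -ResourceGroupName $ResourceGroupName `
                                     -AutomationAccountName $AutomationAccountName |
        ForEach-Object {
            # ExpiryTime is a DateTimeOffset; normalise to UTC before comparing
            $expiryUtc = ([DateTimeOffset]$_.ExpiryTime).UtcDateTime
            $daysLeft  = [int][Math]::Floor(($expiryUtc - $nowUtc).TotalDays)
            [pscustomobject]@{
                Name       = $_.Name
                Thumbprint = $_.Thumbprint
                ExpiryTime = $expiryUtc
                DaysLeft   = $daysLeft
                Exportable = $_.Exportable
                # An expired asset makes every runbook that signs with it fail
                Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                             elseif ($daysLeft -le $WarnWithinDays) { 'EXPIRING' }
                             else { 'OK' }
            }
        }
}

$report = Get-AutomationCertificateReport -ResourceGroupName 'ResourceGroup01' `
                                          -AutomationAccountName 'MyAutomationAccount'
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Exportable assets can be moved out of the certificate store by any runbook in the
# account, so list them separately and confirm each one is exportable on purpose.
$report | Where-Object Exportable | ForEach-Object {
    Write-Warning "Certificate asset '$($_.Name)' is marked exportable."
}
```

Because the cmdlet never returns the X509Certificate2 object, this report can be run by someone with read access to the account without exposing private keys; rotating an EXPIRING asset is done with Set-AzureRmAutomationCertificate, as listed in the cmdlet table.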

Textual runbook sample

The following sample code shows how to add a certificate to a cloud service from a runbook. In this sample, the certificate password is retrieved from an encrypted Automation variable.

$serviceName = 'MyCloudService'
# Get-AutomationCertificate returns the X509Certificate2 object; the asset must be exportable for its private key to be deployed
$cert = Get-AutomationCertificate -Name 'MyCertificate'
# Encrypted variables are readable only inside a runbook, through the Get-AutomationVariable activity, which returns the value directly
$certPwd = Get-AutomationVariable -Name 'MyCertPassword'
Add-AzureCertificate -ServiceName $serviceName -CertToDeploy $cert -Password $certPwd

Graphical runbook sample

You add a Get-AutomationCertificate activity to a graphical runbook by right-clicking the certificate in the Library pane and selecting Add to canvas.

(Image: Add certificate to canvas)

The following image shows an example of using a certificate in a graphical runbook. It does the same as the preceding textual runbook sample, which adds a certificate to a cloud service.

(Image: Sample graphical authoring)

Python2 sample

The following sample shows how to access a certificate in a Python2 runbook.

# The automationassets module must be imported first; it is only available inside Azure Automation runbooks
import automationassets

# get a reference to the Azure Automation certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")

# prints the binary certificate content
print cert

Next steps

  • To learn more about working with links to control the logical flow of the activities your runbook is designed to perform, see Links in graphical authoring.